Information Governance Policy Development
CHAPTER 6
To develop an information governance (IG) policy, you must
inform and frame the policy with internal and external
frameworks, models, best practices, and standards—those that
apply to your organization and the scope of its planned IG
program. In this chapter, we first present and discuss major IG
frameworks and models and then identify key standards for
consideration.
A Brief Review of Generally Accepted Recordkeeping
Principles®
In Chapter 3 we introduced and discussed ARMA
International’s eight Generally
Accepted Recordkeeping Principles®, known as The Principles
1 (or sometimes GAR
Principles). These Principles and associated metrics provide an
IG framework that can
support continuous improvement.
To review, the eight Principles are:
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition2
The Principles establish benchmarks for how organizations of
all types and sizes
can build and sustain compliant, legally defensible records
management (RM)
programs. Using the maturity model (also presented in Chapter
3 ), organizations can
assess where they are in terms of IG, identify gaps, and take
steps to improve across the
eight areas The Principles cover.
72 INFORMATION GOVERNANCE
IG Reference Model
In late 2012, with the support and collaboration of ARMA
International and the Compliance, Governance and Oversight
Council (CGOC), the Electronic Discovery Reference Model (EDRM)
Project released version 3.0 of its Information Governance
Reference Model (IGRM), which added information privacy
and security “as primary functions and stakeholders in the
effective governance of information.”3 The
model is depicted in Figure 6.1.
The IGRM is aimed at fostering IG adoption by facilitating
communication and collaboration between disparate (but
overlapping) IG stakeholder functions, including information
technology (IT), legal, RM, risk management,
and business unit
Figure 6.1 Information Governance Reference Model
Source: EDRM.net
Linking duty + value to information asset = efficient, effective
management
Duty: Legal obligation for specific information
Value: Utility or business purpose of specific information
Asset: Specific container of information
[Diagram labels: Value; Duty; Asset; Create, Use; Hold, Discover; Dispose]
implementing the procedures
and structural elements to put them into practice. It requires:
■ An understanding of the business imperatives of the
enterprise,
■ Knowledge of the appropriate tools and infrastructure for
managing information, and
■ Sensitivity to the legal and regulatory obligations with
which the enterprise must comply.
For any piece of information you hope to manage, the primary
stakeholder is the business
user of that information [emphasis added]. We use the term
“business” broadly; the same
ideas apply to end users of information in organizations whose
ultimate goal might not
be to generate a profit.
Once the business value is established, you must also
understand the legal duty attached to a piece of information. The
term “legal” should also
be read broadly to refer
to a wide range of legal and regulatory constraints and
obligations, from e-discovery
and government regulation to contractual obligations such as
payment card industry
requirements.
Finally, IT organizations must manage the information
accordingly, ensuring privacy and security as well as
appropriate retention as dictated by both business and legal
or regulatory requirements.
* This section is adapted with permission by EDRM.net,
http://www.edrm.net/resources/guides/igrm (accessed
January 24, 2014).
You must inform and frame IG policy with internal and
external frameworks,
models, best practices, and standards.
Center
In the center of the diagram is a work-flow or life-cycle
diagram. We include this component in the diagram to illustrate
the fact that information management is important
at all stages of the information life cycle—from its creation
through its ultimate disposition.
This part of the diagram, once further developed, along with
other secondary-level diagrams, will outline concrete,
actionable steps that organizations can take in implementing
information management programs.
Even the most primitive business creates information in the
course of daily operations, and IT departments spring up to
manage the logistics; indeed, one of the biggest challenges
in modern organizations is trying to stop individuals from
excess storing and securing of information. Legal stakeholders
can usually mandate the preservation of what is most
critical, though often at great cost. However, it takes the
coordinated effort of all three groups to defensibly dispose of
a piece of information that has outlived its usefulness and
retain what is useful in a way that enables accessibility and
usability for the business user.
How the IGRM Complements the Generally Accepted
Recordkeeping Principles *
The IGRM supports ARMA International’s “Principles” by
identifying the cross-functional groups of key information
governance stakeholders and by depicting
their intersecting objectives for the organization. This
illustration of the relationship among duty, value, and the
information asset demonstrates cooperation among
stakeholder groups to achieve the desired level of maturity of
effective information governance.
Effective IG requires a continuous and comprehensive focus.
The IGRM will be
used by proactive organizations as an introspective lens to
facilitate visualization and
discussion about how best to apply The Principles. The IGRM
puts into sharp focus
The Principles and provides essential context for the maturity
model.
* This section is adapted with permission by EDRM.net,
http://www.edrm.net/resources/guides/igrm (accessed
January 24, 2014).
The business user is the primary stakeholder of managed
information.
Information management is important at all stages of the life
cycle.
Legal stakeholders can usually mandate the preservation of
what is most critical, though often at great cost.
Best Practices Considerations
IG best practices should also be considered in policy
formulation. Best practices in IG are evolving and expanding,
and those that apply to organizational scenarios may vary. A best
practices review should be conducted, customized for each
particular organization.
In Chapter 5, we provided a list of 25 IG best practices, with
some detail. The IG world is maturing, and more best practices
will evolve. The 25 best practices, summarized next, are fairly
generic and widely applicable.
1. IG is a key underpinning for a successful ERM program.
2. IG is not a project but rather an ongoing program.
3. Using an IG framework or maturity model is helpful in
assessing and guiding IG programs.
4. Defensible deletion of data debris and information that no
longer has value is critical in the era of Big Data.
5. IG policies must be developed before enabling
technologies are added to assist in enforcement.
6. To provide comprehensive e-document security throughout
a document’s life cycle, documents must be secured upon creation
using highly sophisticated technologies, such as information
rights management (IRM) technology.
7. A records retention schedule and legal hold notification
process (LHN) are the two primary elements of a fundamental IG
program.
8. A cross-functional team is required to implement IG.
9. The first step in information risk planning is to consider
the applicable laws and regulations that apply to your
organization in the jurisdictions in which it conducts business.
10. A risk profile is a basic building block in enterprise risk
management, assisting executives in understanding the risks
associated with stated business objectives and in allocating
resources within a structured evaluation approach or framework.
11. An information risk mitigation plan is a critical part of
the IG planning process. An information risk mitigation plan
involves developing risk mitigation options and tasks to reduce
the specified risks and improve the odds of
achieving business objectives.7
12. Proper metrics are required to measure the conformance
and performance of your IG program.
13. IG programs must be audited for effectiveness.
14. An enterprise-wide retention schedule is preferable
because it eliminates the possibility that different business
units will have different records retention periods.
The IGRM was developed by the EDRM Project to foster
communication
among stakeholders and adoption of IG. It complements
ARMA’s Generally
Accepted Recordkeeping Principles.
15. Senior management must set the tone and lead sponsorship
for vital records program governance and compliance.
16. Business processes must be redesigned to improve the
management of electronic records or implement an electronic
records management (ERM) system.
17. E-mail messages, both inbound and outbound, should be
archived automatically and (preferably) in real time.
18. Personal archiving of e-mail messages should be
disallowed.
19. Destructive retention of e-mail helps to reduce storage
costs and legal risk while improving “findability” of critical
records.
20. Take a practical approach and limit cloud use to documents
that do not have long retention periods and carry a low
litigation risk.
21. Manage social media content by IG policies and monitor it
with controls that ensure protection of critical information
assets and preservation of business records.
22. International and national standards provide effective
guidance for implementing IG.
23. Creating standardized metadata terms should be part of an
IG effort that enables faster, more complete, and more accurate
searches and retrieval of records.8
24. Some digital information assets must be preserved
permanently as part of an organization’s documentary heritage.
25. Executive sponsorship is crucial.
Standards Considerations
Standards must also be considered in policy development. There
are two general types of standards: de jure and de facto. De
jure (“the law”) standards are those published by
recognized standards-setting bodies, such as the International
Organization for Standardization (ISO), American National
Standards Institute (ANSI), National Institute
of Standards and Technology (NIST—this is how most people
refer to it, as they do not know what the acronym stands for),
British Standards Institute (BSI), Standards
Council of Canada, and Standards Australia. Standards
promulgated by authorities
such as these have the formal status of standards.
De facto (“the fact”) standards are not formal standards but are
regarded by many as if they were. They may arise through popular
use (e.g., Windows at the business desktop in the 2001–2010
decade) or may be published by other bodies, such as
the U.S. National Archives and Records Administration (NARA)
or Department of Defense (DoD) for the U.S. military sector.
They may also be published by formal
standards-setting bodies without having the formal status of a
“standard” (such as some technical reports published by ISO).9
Benefits and Risks of Standards
Some benefits of developing and promoting standards are:
■ Quality assurance support. If a product meets a standard,
you can be confident of a certain level of quality.
■ Interoperability support. Some standards are detailed and
mature enough to allow for system interoperability between
different vendor platforms.
■ Implementation frameworks and certification checklists.
These help to provide guides for projects and programs to ensure
all necessary steps are taken.
■ Cost reduction, due to supporting uniformity of systems.
Users have lower maintenance requirements and training and
support costs when systems are more uniform.
■ International consensus. Standards can represent “best
practice” recommendations based on global experiences.10
Some downside considerations are:
■ Possible decreased flexibility in development or
implementation. Standards can, at times, act as a constraint
when they are tied to older technologies or methods,
which can reduce innovation.
■ “Standards confusion” from competing and overlapping
standards. For instance, an ISO standard may be theory-based and
use different terminology, whereas regional or national
standards are more specific, applicable, and understandable
than broad international ones.
■ Real-world shortcomings due to theoretical basis. Standards
often are guides based on theory rather than practice.
■ Changing and updating requires cost and maintenance. There
are costs to developing, maintaining, and publishing
standards.11
Key Standards Relevant to IG Efforts
Below we introduce and discuss some established standards that
should be researched
and considered as a foundation for developing IG policy.
Risk Management
ISO 31000:2009 is a broad, industry-agnostic (not specific to
vertical markets) risk management standard. It states
“principles and generic guidelines” of risk management that can
be applied to not only IG but also to a wide range
of organizational activities and processes throughout the life
of an organization.12 It provides a structured
framework within which to develop and implement risk
management strategies and programs.
ISO 31000 defines a risk management framework as a set of
two basic components that “support and sustain risk management
throughout an organization.”13 The
stated components are: foundations, which are high level and
include risk management policy, objectives, and executive
edicts; and organizational arrangements, which are
more specific and actionable, including strategic plans, roles
and responsibilities, allocated budget, and business processes
that are directed toward managing an organization’s risk.
Additional risk management standards may be relevant to your
organization’s IG
policy development efforts, depending on your focus, scope,
corporate culture, and
demands of your IG program executive sponsor.
Information Security and Governance
ISO/IEC 27001:2005 is an information security management
system (ISMS) standard that provides guidance in the development
of security controls to safeguard
information assets. Like ISO 31000, the standard is applicable
to all types of organizations, irrespective of vertical
industry.14 It “specifies the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining
and improving a documented information security management
system within the context of the organization’s overall
business risks.”
ISO/IEC 27001 is flexible enough to be applied to a variety of
activities and processes when evaluating and managing
information security risks, requirements, and
objectives, and compliance with applicable legal and regulatory
requirements. This includes use of the standard’s guidance by
internal and external auditors as well as internal and
external stakeholders (including customers and potential
customers).
ISO/IEC 27002:2005, “Information Technology—Security
Techniques—Code of Practice for Information Security,”15
establishes guidelines and general principles for initiating,
implementing, maintaining, and improving information security
management in an organization and is identical to the previous
published standard, ISO 17799. The
objectives outlined provide general guidance on the commonly
accepted goals of information security management. ISO/IEC
27002:2005 contains best practices of control objectives and
controls in the following areas of information security
management:
■ security policy;
■ organization of information security;
■ asset management;
■ human resources security;
■ physical and environmental security;
■ communications and operations management;
■ access control;
■ information systems acquisition, development, and
maintenance;
■ information security incident management;
■ business continuity management; and
■ compliance.
The control objectives and controls in ISO/IEC 27002:2005 are
intended to be implemented to meet the requirements identified
by a risk assessment. ISO/IEC 27002:2005 is intended as a common
basis and practical guideline for developing organizational
security standards and effective security management
practices, and to help build confidence in inter-organizational
activities.
ISO 31000 is a broad risk management standard that applies
to all types of
businesses.
ISO/IEC 38500:2008 is an international standard that provides
high-level principles and guidance for senior executives and
directors, and those advising them, for
the effective and efficient use of IT.16 Based primarily on AS
8015, the Australian IT governance standard, it “applies to the
governance of management processes” that are
performed at the IT service level, but the guidance assists
executives in monitoring IT
and ethically discharging their duties with respect to legal and
regulatory compliance of IT activities.
The ISO 38500 standard comprises three main sections:
1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT
It is largely derived from AS 8015, the guiding principles of
which were:
■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors
The standard also has relationships with other major ISO
standards, and embraces the same methods and approaches. It is
certain to have a major impact
upon the IT governance landscape.17
Records and E-Records Management
ISO 15489–1:2001 is the international standard for RM. It
identifies the elements of RM and provides a framework and
high-level overview of RM core principles. RM
is defined as the “field of management responsible for the
efficient and systematic
control of the creation, receipt, maintenance, use and
disposition of records, including
the processes for capturing and maintaining evidence of and
information about business activities and transactions in the
form of records.”18
ISO/IEC 27001 and ISO/IEC 27002 are information security
management
systems standards that provide guidance in the development of
security
controls.
ISO 38500 is an international standard that provides high-level
principles and guidance for senior executives and directors
responsible for IT governance.
The second part of the standard, ISO 15489–2:2001, contains
the technical specifications and a methodology for implementing
the standard, originally based
on early standards work in Australia (Design and
Implementation of Recordkeeping
Systems—DIRKS). (Note: Although still actively used in
Australian states, the
National Archives of Australia has not recommended use of
DIRKS by Australian
national agencies since 2007 and has removed DIRKS from its
Web site.)19
The ISO 15489 standard makes little mention of electronic
records, as it is written to address all kinds of records;
nonetheless it was widely viewed as the definitive framework
of what RM means.
In 2008, the International Council on Archives (ICA) formed a
multinational team of experts to develop “Principles and
Functional Requirements for Records in
Electronic Office Environments,” commonly referred to as
ICA-Req.20 The project was
cosponsored by the Australasian Digital Recordkeeping
Initiative (ADRI), which was
undertaken by the Council of Australasian Archives and
Records Authorities, which “comprises the heads of the
government archives authorities of the
Commonwealth of Australia,
New Zealand, and each of the Australian States and
Territories.”21 The National Archives
of Australia presented a training and guidance manual to assist
in implementing the principles at the 2012 International
Congress on Archives Congress in Brisbane, Australia.
In Module 1 of ICA-Req, principles are presented in a high-level
overview; Module 2 contains specifications for electronic
document and records management systems (EDRMS) that are
“globally harmonized”; and Module 3 contains a requirements set
and “implementation advice for managing records in
business systems.”22
Module 3 recognizes that digital recordkeeping does not have to
be limited to the
EDRMS paradigm—the insight that has now been picked up by
“Modular Requirements for Records Systems” (MoReq2010, the
European standard released in 2011).23
Parts 1 to 3 of ISO 16175 were fully adopted in 2010–2011
based on the ICA-Req
standard. The standard may be purchased at www.ISO.org, and
additional information
on the Australian initiative may be found at www.adri.gov.au.
ISO 16175 is guidance, not a standard that can be tested and
certified against. This
is the criticism by advocates of testable, certifiable standards
like U.S. DoD 5015.2 and
the European standard, MoReq2010.
In November 2011, ISO issued new standards for ERM, the first
two in the ISO 30300 series, which are based on a managerial
point of view and targeted at a management-level audience rather
than at records managers or technical staff:
■ ISO 30300:2011, “Information and Documentation—Management
Systems for Records—Fundamentals and Vocabulary”
■ ISO 30301:2011, “Information and Documentation—Management
Systems for Records—Requirements”
ISO 15489 is the international RM standard.
The ICA-Req standard was adopted as ISO 16175. It does not
contain a testing regime for certification.
The standards apply to “management systems for records”
(MSR), a term that,
as of this printing, is not typically used to refer to ERM or RM
application [RMA]
software in the United States or Europe and is not commonly
found in ERM research
or literature.
The ISO 30300 series is a systematic approach to the creation
and management
of records that is “aligned with organizational objectives and
strategies.” [italics added]24
“ISO 30300 MSR ‘Fundamentals and Vocabulary’ explains the
rationale behind
the creation of an MSR and the guiding principles for its
successful implementation,
and it provides the terminology that ensures that it is
compatible with other management systems standards.
ISO 30301 MSR ‘Requirements’ specifies the requirements
necessary to develop
a records policy. It also sets objectives and targets for an
organization to implement
systemic improvements. This is achieved through designing
records processes and
systems; estimating the appropriate allocation of resources; and
establishing benchmarks to monitor, measure, and evaluate
outcomes. These steps help to ensure that
corrective action can be taken and continuous improvements are
built into the system in order to support an organization in
achieving its mandate, mission, strategy,
and goals.”25
Major National and Regional ERM Standards
For great detail on national and regional standards related to
ERM, see the book
Managing Electronic Records: Methods, Best Practices, and
Technologies (Wiley 2013) by
Robert F. Smallwood. Below is a short summary:
United States E-Records Standard
The U.S. Department of Defense 5015.2 Design Criteria
Standard for Electronic Records
Management Software Applications standard was established
in 1997 and is endorsed by
the leading archival authority, the U.S. National Archives and
Records Administration
(NARA). There is a testing regime that certifies software
vendors that is administered by JITC. JITC “builds test case
procedures, writes detailed and summary final
reports on 5015.2-certified products, and performs on-site
inspection of software.”26
The DoD standard was built for the defense sector, and logically
“reflects its government and archives roots.”
Since its endorsement by NARA, the standard has been the key
requirement for
ERM system vendors to meet, not only in U.S. public sector
bids, but also in the commercial sector.
The 5015.2 standard has since been updated and expanded, in
2002 and 2007,
to include requirements for metadata, e-signatures and Privacy
and Freedom of
Information Act requirements, and, as previously stated, was
scheduled for update
by 2013.
The U.S. DoD 5015.2-STD has been the most influential
worldwide since it
was first introduced in 1997. It best suits military applications.
Canadian Standards and Legal Considerations for Electronic
Records Management *
The National Standards of Canada for electronic records
management are: (1)
Electronic Records as Documentary Evidence CAN/CGSB-72.34–2005
(“72.34”), published in December 2005; and, (2) Microfilm and
Electronic Images as Documentary Evidence CAN/CGSB-72.11–93,
first published in 1979 and updated to 2000
(“72.11”).27 72.34 incorporates all that 72.11 deals with and
is therefore the more
important of the two. Because of its age, 72.11 should not be
relied upon for its
“legal” content. However, 72.11 has remained the industry
standard for “imaging”
procedures—converting original paper records to electronic
storage. The Canada
Revenue Agency has adopted these standards as applicable to
records concerning
taxation.28
72.34 deals with these topics: (1) management authorization and
accountability;
(2) documentation of procedures used to manage records; (3)
“reliability testing” of
electronic records according to existing legal rules; (4) the
procedures manual and
the chief records officer; (5) readiness to produce (the “prime
directive”); (6) records
recorded and stored in accordance with “the usual and ordinary
course of business”
and “system integrity,” being key phrases from the Evidence
Acts in Canada; (7) retention and disposal of electronic
records; (8) backup and records system recovery;
and, (9) security and protection. From these standards
practitioners have derived
many specific tests for auditing, establishing, and revising
electronic records management systems.29
The “prime directive” of these standards states: “An
organization shall always be
prepared to produce its records as evidence.”30 The duty to
establish the “prime directive”
falls upon senior management:31
5.4.3 Senior management, the organization’s own internal
law-making authority, proclaims throughout the organization the
integrity of the organization’s records
system (and, therefore, the integrity of its electronic records) by
establishing and declaring:
a. the system’s role in the usual and ordinary course of
business;
b. the circumstances under which its records are made; and
c. its prime directive for all RMS [records management
system] purposes, i.e.,
an organization shall always be prepared to produce its records
as evidence.
This dominant principle applies to all of the organization’s
business records,
including electronic, optical, original paper source records,
microfilm, and
other records of equivalent form and content.
* This section was contributed by Ken Chasse J.D., LL.M., a
records management attorney and consultant, and member of the
Law Society of Upper Canada (Ontario) and of the
Law Society of British Columbia, Canada.
The 5015.2 standard has been updated to include specifications
such as those
for e-signatures and FOI requirements.
Being the “dominant principle” of an organization’s electronic
records management system, the duty to maintain compliance with
the “prime directive” should fall
upon its senior management.
Legal Considerations
Because an electronic record is completely dependent upon its
ERM system for everything, compliance with these National
Standards and their
“prime directive” should
be part of the determination of the “admissibility”
(acceptability) of evidence and
of electronic discovery in court proceedings (litigation) and in
regulatory tribunal
proceedings. 32
There are 14 legal jurisdictions in Canada: 10 provinces, 3
territories, and the
federal jurisdiction of the Government of Canada. Each has an
Evidence Act (the Civil
Code in the province of Quebec33), which applies to legal
proceedings within its legislative jurisdiction. For example,
criminal law and patents and copyrights are within
federal legislative jurisdiction, and most civil litigation comes
within provincial legislative jurisdiction.34
The admissibility of records as evidence is determined under the
“business record” provisions of the Evidence Acts.35 They
require proof that a record was made “in the usual and
ordinary course of business,” and of “the circumstances of the
making of the record.”
In addition, to obtain admissibility for electronic records, most
of the Evidence Acts
contain electronic record provisions, which state that an
electronic record is admissible as evidence on proof of the
“integrity of the electronic record system in which the
data was recorded or stored.”36 This is the “system integrity”
test for the admissibility
of electronic records. The word “integrity” has yet to be
defined by the courts.37
However, by way of sections such as the following, the
electronic record provisions of the Evidence Acts make reference
to the use of standards such as the National
Standards of Canada:
For the purpose of determining under any rule of law whether
an electronic
record is admissible, evidence may be presented in respect of
any standard,
procedure, usage or practice on how electronic records are to be
recorded or
stored, having regard to the type of business or endeavor that
used, recorded,
or stored the electronic record and the nature and purpose of the
electronic
record. 38
U.K. and European Standards
In the United Kingdom, The National Archives (TNA)
(formerly the Public Record
Office, or PRO) “has published two sets of functional
requirements to promote the
development of the electronic records management software
market (1999 and 2002).”
It ran a program to evaluate products against the 2002
requirements.39 Initially these
requirements were established in collaboration with the central
government, and they
later were utilized by the public sector in general, and also in
other nations. The National Archives 2002 requirements remain
somewhat relevant, although no additional
development has been underway for years. It is clear that the
second version of Model
Requirements for Management of Electronic Records, MoReq2,
largely supplanted
the UK standard, and subsequently the newer MoReq2010 may
further supplant the
UK standard.
MoReq2010 “unbundles” some of the core requirements in
MoReq2, and sets out
functional requirements in modules. The approach seeks to
permit the later creation
of e-records software standards in various vertical industries
such as defense, health
care, financial services, and legal services.
MoReq2010 is available free—all 525 pages of it (by
comparison, the U.S. DoD
5015.2 standard is less than 120 pages long). For more
information on MoReq2010,
visit www.moreq2010.eu. The entire specification may be
downloaded at:
http://moreq2010.eu/pdf/moreq2010_vol1_v1_1_en.pdf.
MoReq2010
In November 2010, the DLM Forum, a European Commission–
supported body, announced the
availability of the final draft of the MoReq2010 specification
for electronic records management systems (ERMS), following
extensive public consultation. The final specification
was published in mid-2011.40
The DLM Forum explains that “With the growing demand for
[electronic] records management, across a broad spectrum of
commercial, not-for-profit, and government organizations,
MoReq2010 provides the first practical specification against
which all organizations can take control of their corporate
information. IT software
and services vendors are also able to have their products tested
and certified that they
meet the MoReq2010 specification.”41
MoReq2010 supersedes its predecessor MoReq2 and has the
continued support and backing
of the European Commission.
Australian ERM and Records Management Standards
Australia has adopted all three parts of ISO 16175 as its e-records
management standard. 42 (For more detail on this standard go to ISO.org.)
Australia has long led the introduction of highly automated electronic
document management systems and records management standards. Following
the approval and release of the AS 4390 standard in 1996, the
international records management community began work on the development
of an International standard. This work used AS 4390–1996 Records
Management as its starting point.
Development of Australian Records Standards
In 2002 Standards Australia published a new Australian Standard on records
management, AS ISO 15489, based on the ISO 15489 international records
management standard. It differs only in its preface verbiage. 43 AS ISO
15489 carries through all these main components of AS 4390, but
internationalizes the concepts and brings them up to date. The standards
thereby codify Australian best practice but are also progressive in their
recommendations.
Additional Relevant Australian Standards
The Australian Government Recordkeeping Metadata Standard Version 2.0
provides guidance on metadata elements and subelements for records
management. It is a baseline tool that “describes information about
records and the context in which they are captured and used in Australian
Government agencies.” This standard is intended to help Australian
agencies “meet business, accountability and archival requirements
in a systematic and consistent way by maintaining reliable, meaningful and
accessible records.” The standard is written in two parts, the first
describing its purpose and features and the second outlining the specific
metadata elements and subelements.44
The Australian Government Locator Service, AGLS, is published as AS
5044–2010, the metadata standard to help find and exchange information
online. It updates the 2002 version, and includes changes made by the
Dublin Core Metadata Initiative (DCMI).
Another standard, AS 5090:2003, “Work Process Analysis for
Recordkeeping,” complements AS ISO 15489 and provides guidance on
understanding business processes and workflow so that recordkeeping
requirements may be determined. 45
Long-Term Digital Preservation
Although many organizations shuffle dealing with digital preservation
issues to the back burner, long-term digital preservation (LTDP) is a key
area in which IG policy should be applied. LTDP methods, best practices,
and standards should be applied to preserve an organization’s historical
and vital records (those without which it cannot operate or restart
operations) and to maintain its corporate or organizational memory. The
key standards that apply to LTDP are listed next.
The official standard format for preserving electronic documents is
PDF/A-1, based on PDF 1.4 originally developed by Adobe. ISO 19005–1:2005,
“Document Management—Electronic Document File Format for Long-Term
Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),” is the published
specification for using PDF 1.4 for LTDP, which is applicable to
e-documents that may contain not only text characters but also graphics
(either raster or vector). 46
ISO 14721:2012, “Space Data and Information Transfer Systems—Open
Archival Information Systems—Reference Model (OAIS),” is applicable to
LTDP. 47 ISO 14721 “specifies a reference model for an open archival
information system (OAIS). The purpose of ISO 14721 is to establish a
system for archiving information, both digitalized and physical, with an
organizational scheme composed of people who accept the responsibility to
preserve information and make it available to a designated community.” 48
The fragility of digital storage media combined with ongoing and sometimes
rapid changes in computer software and hardware poses a fundamental
challenge to ensuring access to trustworthy and reliable digital content
over time. Eventually, every digital repository committed to long-term
preservation of digital content must have a strategy to mitigate computer
technology obsolescence. Toward this end, the
Consultative Committee for Space Data Systems developed the
OAIS reference model
to support formal standards for the long-term preservation of
space science data and
information assets. OAIS was not designed as an
implementation model.
OAIS is the lingua franca of digital preservation, as the international
digital preservation community has embraced it as the framework for viable
and technologically sustainable digital preservation repositories. An LTDP
strategy that is OAIS compliant offers the best means available today for
preserving the digital heritage of all organizations, private and public.
(See Chapter 17.)
ISO TR 18492 (2005), “Long-Term Preservation of Electronic Document Based
Information,” provides practical methodological guidance for the
long-term preservation and retrieval of authentic electronic
document-based information, when the retention period exceeds the expected
life of the technology (hardware and software) used to create and maintain
the information assets. ISO 18492 takes note of the role of ISO 15489 but
does not cover processes for the capture, classification, and disposition
of authentic electronic document-based information.
ISO 16363:2012, “Space Data and Information Transfer Systems—Audit and
Certification of Trustworthy Digital Repositories,” “defines a recommended
practice for assessing the trustworthiness of digital repositories. It is
applicable to the entire range of digital repositories.”49 It is an audit
and certification standard organized into three broad categories:
Organization Infrastructure, Digital Object Management, and Technical
Infrastructure and Security Risk Management. ISO 16363 represents the gold
standard of audit and certification for trustworthy digital repositories.
(See Chapter 17.)
Business Continuity Management
ISO 22301:2012, “Societal Security—Business Continuity Management
Systems—Requirements,” spells out the requirements for creating and
implementing a standardized approach to business continuity management
(BCM, also known as disaster recovery [DR]), in the event an organization
is hit with a disaster or major business interruption. 50 The guidelines
can be applied to any organization regardless of vertical industry or
size. The specification includes the “requirements to plan, establish,
implement, operate, monitor, review, maintain and continually improve a
documented management system to protect against, reduce the likelihood
of occurrence, prepare for, respond to, and recover from
disruptive incidents when
they arise.”
The UK business continuity standard, BS25999-2, which heavily influenced
the newer ISO standard, was withdrawn when ISO 22301 was released. 51 The
business rationale is that, with the increasing globalization of business,
ISO 22301 will allow and support more consistency worldwide not only in
business continuity planning and practices but also will promote common
terms and help to embed various ISO management systems standards within
organizations. U.S.-based ANSI, Standards Australia, Standards Singapore,
and other standards bodies also contributed to the development of ISO
22301.
Benefits of ISO 22301
■ Threat identification and assessment. Discover, name, and evaluate
potential serious threats to the viability of the business.
■ Threat and recovery planning. So the impact and resultant downtime and
recovery from real threats that do become incidents is minimized.
■ Mission-critical process protection. Identifying key processes and
taking steps to ensure they continue to operate even during a business
interruption.
■ Stakeholder confidence. Shows prudent management planning and business
resilience to internal and external stakeholders, including employees,
business units, customers, and suppliers. 52
Making Your Best Practices and Standards Selections to Inform
Your IG Framework
You must take into account your organization’s corporate
culture, management style,
and organizational goals when determining which best practices
and standards should
receive priority in your IG framework. However, you must step
through your business
rationale in discussions with your cross-functional IG team and
fully document the
reasons for your approach. Then you must present this approach
and your draft IG
framework to your key stakeholders and be able to defend your
determinations while allowing for input and adjustments. Perhaps you have
overlooked some key factors that your larger stakeholder group uncovers,
and their input should be folded into a final draft of your IG framework.
Next, you are ready to begin developing IG policies that apply to various
aspects of information use and management, in specific terms. You must
detail the policies you expect employees to follow when handling
information on various information delivery platforms (e.g., e-mail,
blogs, social media, mobile computing, cloud computing). It is helpful at
this stage to collect and review all your current policies that apply and
to gather some examples of published IG policies, particularly from peer
organizations and competitors (where possible). Of note: You should not
just adopt another organization’s policies and believe that you are done
with policy making. Rather, you must enter into a deliberative process,
using your IG framework for guiding principles and considering the views
and needs of your cross-functional IG team. Of paramount importance is to
be sure to incorporate the alignment of your organizational goals and
business objectives when crafting policy.
With each policy area, be sure that you have considered the input of your
stakeholders, so that they will be more willing to buy into and comply
with the new policies and so that the policies do not run counter to their
business needs and required business processes. Otherwise, stakeholders
will skirt, avoid, or halfheartedly follow the new IG policies, and the IG
program risks failure.
Once you have finalized your policies, be sure to obtain necessary
approvals from your executive sponsor and key senior managers.
Roles and Responsibilities
Policies will do nothing without people to advocate, support, and enforce
them. So clear lines of authority and accountability must be drawn, and
responsibilities must be assigned.
Overall IG program responsibility resides at the executive sponsor level,
but beneath that, an IG program manager should drive team members toward
milestones and business objectives and should shoulder the responsibility
for day-to-day program activities, including implementing and monitoring
key IG policy tasks. These tasks should be approved by executive
stakeholders and assigned as appropriate to an employee’s functional area
of expertise. For instance, the IG team member from legal may be assigned
the responsibility for researching and determining legal requirements for
retention of business records, perhaps working in conjunction with the IG
team member from RM, who can provide additional input based on interviews
with representatives from business units and additional RM research into
best practices.
Program Communications and Training
Your IG program must contain a communications and training component, as a
standard function. Your stakeholder audience must be made aware of the new
policies and practices that are to be followed and how this new approach
contributes toward the organization’s goals and business objectives.
The first step in your communications plan is to identify and segment your
stakeholder audiences and to customize or modify your message to the
degree that is necessary to be effective. Communications to your IT team
can have a more technical slant, and communications to your legal team can
have some legal jargon and emphasize legal issues. The more forethought
you put into crafting your communications strategy, the more effective it
will be.
That is not to say that all messages must have several versions: Some core
concepts and goals should be emphasized in communications to all
employees.
How should you communicate? The more ways you can get your IG message to
your core stakeholder audiences, the more effective and lasting the
message will be. So posters, newsletters, e-mail, text messages, internal
blog or intranet posts, and company meetings should all be a part of the
communications mix. Remember, the IG program requires not only training
but retraining, and the aim should be to create a compliance culture that
is so prominent and expected that employees adopt the new practices and
policies and integrate them into their daily activities. Ideally,
employees will provide valuable input to help fine-tune and improve the IG
program.
Training should take multiple avenues as well. Some can be classroom
instruction, some online learning, and you may want to create a series of
training videos. But the training effort must be consistent and ongoing to
maintain high levels of IG effectiveness. Certainly, this means you will
need to add to your new hire training program for employees joining or
transferring to your organization.
Program Controls, Monitoring, Auditing, and Enforcement
How do you know how well you are doing? You will need to develop metrics
to determine the level of employee compliance, its impact on key
operational areas, and progress made toward established business
objectives.
Testing and auditing the program provides an opportunity to
give feedback to
employees on how well they are doing and to recommend
changes they may make.
But having objective feedback on key metrics also will allow
for your executive
sponsor to see where progress has been made and where
improvements need to
focus.
CHAPTER SUMMARY: KEY POINTS
■ You must inform and frame IG policy with internal and external
frameworks, models, best practices, and standards.
■ The business user is the primary stakeholder of managed information.
■ Information management is important at all stages of the life cycle.
■ Legal stakeholders usually can mandate the preservation of what is most
critical, though often at great cost.
■ The IGRM was developed by the EDRM Project to foster communication among
stakeholders and adoption of IG. It complements ARMA’s The Principles.
■ ISO 31000 is a broad risk management standard that applies to all types
of businesses.
■ ISO/IEC 27001 and ISO/IEC 27002 are ISMS standards that provide guidance
in the development of security controls.
■ ISO 15489 is the international RM standard.
■ The ICA-Req standard was adopted as ISO 16175. It does not contain a
testing regime for certification.
■ The ISO 30300 series of e-records standards are written for a managerial
audience and encourage ERM that is aligned to organizational objectives.
■ DoD 5015.2 is the U.S. ERM standard; the European ERM standard is
MoReq2010. Australia has adopted all three parts of ISO 16175 as its
e-records management standard.
■ LTDP is a key area to which IG policy should be applied.
■ An LTDP strategy that is OAIS compliant (based on ISO 14721) offers the
best means available today for preserving the digital heritage of all
organizations.
■ ISO 16363 represents the gold standard of audit and certification for
trustworthy digital repositories.
■ ISO 38500 is an international standard that provides high-level
principles and guidance for senior executives and directors responsible
for IT governance.
■ ISO 22301 spells out requirements for creating and implementing a
standardized approach to business continuity management.
Clear penalties for policy violations must be communicated to employees so
they know the seriousness of the IG program and how important it is in
helping the organization pursue its business goals and accomplish stated
business objectives.
Notes
1. ARMA International, “Generally Accepted Recordkeeping Principles,”
www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright
(accessed November 25, 2013).
2. ARMA International, “Information Governance Maturity Model,”
www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics
(accessed November 25, 2013).
3. Electronic Discovery, “IGRM v3.0 Update: Privacy & Security Officers As
Stakeholders – Electronic Discovery,”
http://electronicdiscovery.info/igrm-v3-0-update-privacy-security-officers-as-stakeholders-electronic-discovery/
(accessed April 24, 2013).
4. EDRM, “Information Governance Reference Model (IGRM),”
www.edrm.net/projects/igrm (accessed October 9, 2013).
5. Ibid.
6. Ibid.
7. Project Management Institute, A Guide to the Project Management Body of
Knowledge (PMBOK Guide), 4th ed. (Newtown Square, PA, Project Management
Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.
8. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare,
eds., Managing Electronic Records, p. 34 (London: Facet, 2005).
9. Marc Fresko, e-mail to author, May 13, 2012.
10. Hofman, “The Use of Standards and Models,” in Julie McLeod and
Catherine Hare, eds., Managing Electronic Records, p. 34 (London: Facet,
2005) pp. 20–21.
11. Ibid.
12. International Organization for Standardization, “ISO 31000:2009 Risk
Management—Principles and Guidelines,”
www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170
(accessed April 22, 2013).
13. Ibid.
14. International Organization for Standardization, ISO/IEC 27001:2005,
“Information Technology—Security Techniques—Information Security
Management Systems—Requirements,”
www.iso.org/iso/catalogue_detail?csnumber=42103 (accessed April 22, 2013).
15. International Organization for Standardization, ISO/IEC 27002:2005,
“Information Technology—Security Techniques—Code of Practice for
Information Security Management,”
www.iso.org/iso/catalogue_detail?csnumber=50297 (accessed July 23, 2012).
16. International Organization for Standardization, ISO/IEC 38500:2008,
www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed March 12, 2013).
17. ISO 38500 IT Governance Standard, www.38500.org/ (accessed March 12,
2013).
18. International Organization for Standardization, ISO 15489-1: 2001
Information and Documentation—Records Management. Part 1: General (Geneva:
ISO, 2001), section 3.16.
CHAPTER SUMMARY: KEY POINTS (Continued)
■ You must take into account your organization’s corporate culture,
management style, and organizational goals when determining which best
practices and standards should be selected for your IG framework.
■ Lines of authority, accountability, and responsibility must be clearly
drawn for the IG program to succeed.
■ Communications regarding your IG program should be consistent and clear
and somewhat customized for various stakeholder groups.
■ IG program audits are an opportunity to improve training and compliance,
not to punish employees.
22. Adrian Cunningham, blog post comment, May 11, 2011.
http://thinkingrecords.co.uk/2011/05/06/how-moreq-2010-differs-from-previous-electronic-records-management-erm-system-specifications/.
23. Ibid.
24. “Relationship between the ISO 30300 Series of Standards and Other
Products of ISO/TC 46/SC 11: Records Processes and Controls,” White Paper,
ISO TC46/SC11- Archives/Records Management (March 2012),
www.iso30300.es/wp-content/uploads/2012/03/ISOTC46SC11_White_paper_relationship_30300_technical_standards12032012v6.pdf
25. Ibid.
26. Julie Gable, Information Management Journal, November 1, 2002,
www.thefreelibrary.com/Everything-+you+wanted+to+know+about+DoD+5015.2:+the+standard+is+not+a…-a095630076.
27. These standards were developed by the CGSB (Canadian General Standards
Board), which is a standards-writing agency within Public Works and
Government Services Canada (a department of the federal government). It is
accredited by the Standards Council of Canada as a standards development
agency. The Council must certify that standards have been developed by the
required procedures before it will designate them as being National
Standards of Canada. 72.34 incorporates by reference as “normative
references”: (1) many of the standards of the International Organization
for Standardization (ISO) in Geneva, Switzerland. (“ISO,” derived from the
Greek word isos (equal) so as to provide a common acronym for all
languages); and (2) several of the standards of the Canadian Standards
Association (CSA). The “Normative references” section of 72.34 (p. 2)
states that these “referenced documents are indispensable for the
application of this document.” 72.11 cites (p. 2, “Applicable
Publications”) several standards of the American National Standards
Institute/Association for Information and Image Management (ANSI/AIIM) as
publications “applicable to this standard.” The process by which the
National Standards of Canada are created and maintained is described
within the standards themselves (reverse side of the front cover), and on
the CGSB’s Web site (see, “Standards Development”), from which Web site
these standards may be obtained; http://www.ongc-cgsb.gc.ca.
28. The Canada Revenue Agency (CRA) informs the public of its policies and
procedures by means, among others, of its Information Circulars (IC’s),
and GST/HST Memoranda. (GST: goods and services tax; HST: harmonized sales
tax, i.e., the harmonization of federal and provincial sales taxes into
one retail sales tax.) In particular, see: IC05-1, dated June 2010,
entitled, Electronic Record Keeping, paragraphs 24, 26 and 28. Note that
use of the National Standard cited in paragraph 26, Microfilm and
Electronic Images as Documentary Evidence CAN/CGSB-72.11-93 is mandatory
for, “Imaging and microfilm (including microfiche) reproductions of books
of original entry and source documents . . .” Paragraph 24 recommends the
use of the newer national standard, Electronic Records as Documentary
Evidence CAN/CGSB-72.34-2005, “To ensure the reliability, integrity and
authenticity of electronic records.” However, if this newer standard is
given the same treatment by CRA as the older standard, it will be made
mandatory as well. And similar statements appear in the GST Memoranda,
Computerized Records 500-1-2, Books and Records 500-1. IC05-1, Electronic
Record Keeping, concludes with the note, “Most Canada Revenue Agency
publications are available on the CRA Web site www.cra.gc.ca under the
heading ‘Forms and Publications.’”
29. There are more than 200 specific compliance tests that can be applied
to determine if the principles of 72.34 are being complied with. The
analysts—a combined team of records management and legal expertise—analyze:
(1) the nature of the business involved; (2) the uses and value of its
records for its various functions; (3) the likelihood and risk of the
various types of its records being the subject of legal proceedings, or of
their being challenged by some regulating authority; and (4) the
consequences of the unavailability of acceptable records—for example, the
consequences of its records not being accepted in legal proceedings.
Similarly, in regard to the older National Standard of Canada, 72.11,
there is a comparable series of more than 50 tests that can be applied to
determine the state of compliance with its principles.
30. Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005
(“72.34”), clause 5.4.3 c) at p. 17; and Microfilm and Electronic Images
as Documentary Evidence CAN/CGSB-72.11-93 (“72.11”), paragraph 4.1.2 at
p. 2, supra note 49.
31. 72.34, Clause 5.4.3, ibid.
32. “Admissibility” refers to the procedure by which a presiding judge
determines if a record or other proffered evidence is acceptable as
evidence according to the rules of evidence. “Electronic discovery”
is the compulsory exchange of relevant records by the parties to
legal proceedings prior to trial.” As
to the admissibility of records as evidence see: Ken Chasse,
“The Admissibility of Electronic Business
Records” (2010), 8 Canadian Journal of Law and Technology
105; and Ken Chasse, “Electronic Re-
cords for Evidence and Disclosure and Discovery” (2011) 57
The Criminal Law Quarterly 284. For the
electronic discovery of records see: Ken Chasse, “Electronic
Discovery— Sedona Canada is Inadequate
on Records Management—Here’s Sedona Canada in Amended
Form,” Canadian Journal of Law and Tech-
nology 9 (2011): 135; and Ken Chasse, “Electronic Discovery
in the Criminal Court System,” Canadian
Criminal Law Review 14 (2010): 111. See also note 18 infra ,
and accompanying text.
33. For the province of Quebec, comparable provisions are
contained in Articles 2831-2842, 2859-2862,
2869-2874 of Book 7 “Evidence” of the Civil Code of Quebec,
S.Q. 1991, c. C-64, to be read in con-
junction with, An Act to Establish a Legal Framework for
Information Technology, R.S.Q. 2001,
c. C-1.1, ss. 2, 5-8, and 68.
55. 34. For the legislative jurisdiction of the federal and provincial
governments in Canada, see The Constitu-
tion Act, 1867 (U.K.) 30 & 31 Victoria, c. 3, s. 91 (federal), and
s. 92 (provincial), www.canlii.org/en/ca/
laws/stat/30—31-vict-c-3/latest/30—31-vict-c-3.html.
35. The two provinces of Alberta and Newfoundland and
Labrador do not have business record provisions
in their Evidence Acts. Therefore “admissibility” would be
determined in those jurisdictions by way of
the court decisions that defi ne the applicable common law
rules; such decisions as, Ares v. Venner [1970]r
S.C.R. 608, 14 D.L.R. (3d) 4 (S.C.C.), and decisions that have
applied it.
36. See for example, the Canada Evidence Act, R.S.C. 1985, c.
C-5, ss. 31.1-31.8; Alberta Evidence Act,
R.S.A. 2000, c. A-18, ss. 41.1-41.8; (Ontario) Evidence Act,
R.S.O. 1990, c. E.23, s. 34.1; and the (Nova
Scotia) Evidence Act, R.S.N.S. 1989, c. 154, ss. 23A-23G. The
Evidence Acts of the two provinces
of British Columbia and Newfoundland and Labrador do not
contain electronic record provisions.
However, because an electronic record is no better than the
quality of the record system in which it is
recorded or stored, its “integrity” (reliability, credibility) will
have to be determined under the other
provincial laws that determine the admissibility of records as
evidence.
37. The electronic record provisions have been in the Evidence
Acts in Canada since 2000. They have been
applied to admit electronic records into evidence, but they have
not yet received any detailed analysis
by the courts.
56. 38. This is the wording used in, for example, s. 41.6 of the
Alberta Evidence Act, s. 34.1(8) of the (Ontario)
Evidence Act; and s. 23F of the (Nova Scotia) Evidence Act,
supra note 10. Section 31.5 of the Canada
Evidence Act, supra note 58, uses the same wording, the only
signifi cant difference being that the word
“document” is used instead of “record.” For the province of
Quebec, see sections 12 and 68 of, An Act
to Establish a Legal Framework for Information Technology,
R.S.Q., chapter C-1.1.
39. “Giving Value: Funding Priorities for UK Archives 2005–
2010, a key new report launched by the Na-
tional Council on Archives (NCA) in November 2005,”
www.nationalarchives.gov.uk/documents/stan-
dards_guidance.pdf (accessed October 15, 2012).
40. DLM Forum Foundation, MoReq2010 ® : Modular
Requirements for Records Systems—Volume 1: Core Ser-
vices & Plug-in Modules, 2011, http://moreq2010.eu/ (accessed
May 7, 2012, published in paper form ass
ISBN 978-92-79-18519-9 by the Publications Offi ce of the
European Communities, Luxembourg.
41. DLM Forum, Information Governance across Europe,
www.dlmforum.eu/ (accessed December 14,
2010).
42. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).
43. E-mail to author from Marc Fresko, May 13, 2012.
44. National Archives of Australia, “Australian Government Recordkeeping Metadata Standard,” 2012, www.naa.gov.au/records-management/publications/agrk-metadata-standard.aspx (accessed July 16, 2012).
45. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).
46. International Organization for Standardization, ISO 19005-1:2005, “Document Management—Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),” www.iso.org/iso/catalogue_detail?csnumber=38920 (accessed July 23, 2012).
47. International Organization for Standardization, ISO 14721:2012, “Space Data and Information Transfer Systems Open Archival Information System—Reference Model,” www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=57284 (accessed November 25, 2013).
48. Ibid.
49. International Organization for Standardization, ISO 16363:2012, “Space Data and Information Transfer Systems—Audit and Certification of Trustworthy Digital Repositories,” www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56510 (accessed July 23, 2012).
nuity Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=50038 (accessed April 21, 2013).
51. International Organization for Standardization, “ISO Business Continuity Standard 22301 to Replace BS 25999-2,” www.continuityforum.org/content/news/165318/iso-business-continuity-standard-22301-replace-bs-25999-2 (accessed April 21, 2013).
52. BSI, “ISO 22301 Business Continuity Management,” www.bsigroup.com/en-GB/iso-22301-business-continuity (accessed April 21, 2013).
PART THREE
Information Governance Key Impact Areas Based on the IG Reference Model
Business Considerations for a Successful IG Program
CHAPTER 7
By Barclay T. Blair
The business case for information governance (IG) programs has historically been difficult to justify. It is hard to apply a strict, short-term return on investment (ROI) calculation. A lot of time, effort, and expense is involved before true economic benefits can be realized. So a commitment to the long view and an understanding of the many areas where an organization will improve as a result of a successful IG program are needed. But the bottom line is that reducing exposure to business risk, improving the quality and security of data and e-documents, cutting out unneeded stored information, and streamlining information technology (IT) development while focusing on business results add up to better organizational health and viability and, ultimately, an improved bottom line.
Let us take a step back and examine the major issues affecting information costing and calculating the real cost of holding information, consider Big Data and e-discovery ramifications, and introduce some new concepts that may help frame information costing issues differently for business managers. Getting a good handle on the true cost of information is essential to governing it properly, shifting resources to higher-value information, and discarding information that has no discernible business value and carries inherent, avoidable risks.
Changing Information Environment
The information environment is changing. Data volumes are growing, but unstructured information (such as e-mail, word processing documents, social media posts) is growing faster than our ability to manage it. Some unstructured information has more structure than others, containing some identifiable metadata (e.g., e-mail messages all have a header, subject line, time/date stamp, and message body). This is often termed semistructured information, but for purposes of this book, we use the term “unstructured information” to include semistructured information as well.
The volume of unstructured information is growing dramatically. Analysts estimate that, over the next decade, the amount of data worldwide will grow by 44 times (from .8 zettabytes to 35 zettabytes: 1 zettabyte = 1 trillion gigabytes).1 However, the volume of unstructured information will actually grow 50 percent faster than structured data. Analysts also estimate that fully 90 percent of unstructured information will require formal governance and management by 2020. In other words, the problem of unstructured IG is growing faster than the problem of data volume itself.
What makes unstructured information so challenging? There
are several factors,
including
■ Horizontal versus vertical. Unstructured information is typically not clearly attached to a department or a business function. Unlike the vertical focus of an enterprise resource planning (ERP) database, for example, an e-mail system serves multiple business functions—from employee communication to filing with regulators—for all parts of the business. Unstructured information is much more horizontal, making it difficult to develop and apply business rules.
■ Formality. The tools and applications used to create unstructured information often engender informality and the sharing of opinions that can be problematic in litigation, investigations, and audits—as has been repeatedly demonstrated in front-page stories over the past decade. This problem is not likely to get any easier as social media technologies and mobile devices become more common in the enterprise.
■ Management location. Unstructured information does not have a single, obvious home. Although e-mail systems rely on central messaging servers, e-mail is just as likely to be found on a file share, mobile device, or laptop hard drive. This makes the application of management rules more difficult than the application of the same rules in structured systems, where there is a close marriage between the application and the database.
■ “Ownership” issues. Employees do not think that they “own” data in an accounts receivable system like they “own” their e-mail or documents stored on their hard drive. Although such information generally has a single owner (i.e., the organization itself), this non-ownership mind-set can make the imposition of management rules for unstructured information more challenging than for structured data.
■ Classification. The business purpose of a database is generally determined prior to its design. Unlike structured information, the business purpose of unstructured information is difficult to infer from the application that created or stores the information. A word processing file stored in a collaboration environment could be a multimillion-dollar contract or a lunch menu. As such, classification of unstructured content is more complex and expensive than structured information.
Taken together, these factors reveal a simple truth: Managing unstructured information is a separate and distinct discipline from managing databases. It requires different methods and tools. Moreover, determining the costs and benefits of owning and managing unstructured information is a unique—but critical—challenge.
The governance of unstructured information creates enormous complexity and risk for business managers to consider while making it difficult for organizations to generate real value from all this information. Despite the looming crisis, most organizations have limited ability to quantify the real cost of owning and managing unstructured information. Determining the total cost of owning unstructured information is an essential precursor to managing and monetizing that information while cutting information costs—key steps in driving profit for the enterprise.
Storing things is cheap . . . I’ve tended to take the attitude, “Don’t throw electronic things away.”
—Data scientist quoted in Anne Eisenberg, “What 23 Years of E-Mail May Say About You,” New York Times, April 7, 2012
The company spent $900,000 to produce an amount of data that would consume less than one-quarter of the available capacity of an ordinary DVD.
—Nicholas M. Pace and Laura Zakaras, “Where the Money Goes: Understanding Litigant Expenditures for Producing Electronic Discovery,” RAND Institute for Civil Justice, 2012
Calculating Information Costs
We are not very good at figuring out what information costs—truly costs. Many organizations act as if storage is an infinitely renewable resource and the only cost of information. But, somehow, enterprise storage spending rises each year and IT support costs rise, even as the root commodity (disk drives) grows ever cheaper and denser. Obviously, they are not considering labor and overhead costs incurred with managing information, and the additional knowledge worker time wasted sifting through mountains of information to find what they need.
Some of this myopic focus on disk storage cost is simple
ignorance. The executive
who concludes that a terabyte costs less than a nice meal at a
restaurant after browsing
storage drives on the shelves of a favorite big-box retailer on
the weekend is of little
help.
Rising information storage costs cannot be dismissed. Each year the billions that organizations worldwide spend on storage grow, even though the cost of a hard drive is less than 1 percent of what it was about a decade ago. We have treated storage as a resource that has no cost to the organization outside of the initial capital outlay and basic operational costs. This is shortsighted and outdated.
Some of the reason that managers and executives have difficulty comprehending the true cost of information is old-fashioned miscommunication. IT departments do not see (or pay for) the full cost of e-discovery and litigation. Even when IT “partners” with litigators, what IT learns rarely drives strategic IT decisions. Conversely, law departments (and outside firms) rarely own and pay for the IT consequences of their litigation strategies. It is as if when the litigation fire needs to be put out, nobody calculates the cost of gasoline and water for the fire trucks.
But calculating the cost of information—especially information
that does not sit
neatly in the rows and columns of enterprise database “systems
of record”—is complex.
It is more art than science. And it is more politics than art.
There is no Aristotelian
Golden Mean for information.
The true cost of mismanaging information is much more profound than simply calculating storage unit costs. It is the cost of opportunity lost—the lost benefit of information that is disorganized, created and then forgotten, cast aside and left to rot. It is the cost of information that cannot be brought to market. Organizations that realize this, and invest in managing and leveraging their unstructured information, will be the winners of the next decade.
Most organizations own vast pools of information that is effectively “dark”: They do not know what it is, where it is, who is responsible for managing it, or whether it is an asset or a liability. It is not classified, indexed, or managed according to the organization’s own policies. It sits in shared drives, mobile devices, abandoned content systems, single-purpose cloud repositories, legacy systems, and outdated archives.
And when the light is finally flicked on for the first time by an intensive hunt for information during e-discovery, this dark information can turn out to be a liability. An e-mail message about “paying off fat people who are a little afraid of some silly lung problem” might seem innocent—until it is placed in front of a jury as evidence that a drug company did not care that its diet drug was allegedly killing people.2
The importance of understanding the total cost of owning unstructured information is growing. We are at the beginning of a “seismic economic shift” in the information landscape, one that promises to not only “reinvent society” (according to an MIT data scientist) but also to create “the new oil . . . a new asset class touching all aspects of society.”3
Big Data Opportunities and Challenges
We are entering the epoch of Big Data—an era of Internet-scale enterprise infrastructure, powerful analytical tools, and massive data sets from which we can potentially wring profound new insights about business, society, and ourselves. It is an epoch that, according to the consulting firm McKinsey, promises to save the European Union public sector billions of euros, increase retailer margins by 60 percent, and reduce U.S. national health care spending by 8 percent, while creating hundreds of thousands of jobs.4 Sounds great, right?
However, the early days of this epoch are unfolding in almost total ignorance of the true cost of information. In the near nirvana contemplated by some Big Data proponents, all data is good, and more data is better. Yet it would be an exaggeration to say that there is no awareness of potential Big Data downsides. A recent study by the Pew Research Center was positive overall but did note concerns about privacy, social control, misinformation, civil rights abuses, and the possibility of simply being overwhelmed by the deluge of information.5
Smart leaders across industries will see using big data for what it is: a management revolution.
—Andrew McAfee and Erik Brynjolfsson, “Big Data: The Management Revolution,” Harvard Business Review (October 2012)
But the real-world burdens of managing, protecting, searching, classifying, retaining, producing, and migrating unstructured information are foreign to many Big Data cheerleaders. This may be because the Big Data hype cycle6 is not yet in the “trough of disillusionment” where the reality of corporate culture and complex legal requirements sets in. But set in it will, and when it does, the demand for intelligent analysis of costs and benefits will be high.
IG professionals must be ready for these new challenges and opportunities—ready with new models for thinking about unstructured information. Models that calculate the risks of keeping too much of the wrong information as well as the benefits of clean, reliable, and accessible pools of the right information. Models that drive desirable behavior in the enterprise, and position organizations to succeed on the “next frontier for innovation, competition, and productivity.”7
Full Cost Accounting for Information
It is difficult for organizations to make educated decisions about unstructured information without knowing its full cost. Models like total cost of ownership (TCO) and ROI are designed for this purpose and have much in common with full cost accounting (FCA) models. FCA seeks to create a complete picture of costs that includes past, future, direct, and indirect costs rather than direct cash outlays alone.
FCA has been used for many purposes, including the decidedly earthbound task of determining what it costs to take out the garbage and the loftier task of calculating how much the International Space Station really costs. A closely related concept, often called triple bottom line, has gained traction in the world of environmental accounting, positing that organizations must take into account societal and environmental costs as well as monetary costs.
The U.S. Environmental Protection Agency promotes the use of FCA for municipal waste management, and several states have adopted laws requiring its use. It is fascinating—and no accident—that this accounting model has been widely used to calculate the full cost of managing an unwanted by-product of modern life. The analogy to outdated, duplicate, and unmanaged unstructured information is clear.
Applying the principles of FCA to information can increase cost transparency and drive better management decisions. In municipal garbage systems where citizens do not see a separate bill for taking out the garbage, it is more difficult to get new spending on waste management approved.8 Without visibility into the true cost, how can citizens—or CEOs—make informed decisions?
IG professionals must be ready with new models that calculate the risks of storing too much of the wrong information and also the benefits of clean, reliable, accessible information.
Responsible, innovative managers and executives should investigate FCA models for calculating the total cost of owning unstructured information. Consider costs such as:
■ General and administrative costs, such as cost of IT operations and personnel, facilities, and technical support.
■ Productivity gains or losses related to the information.
■ Legal and e-discovery costs associated with the information and information systems.
■ Indirect costs, such as the accounting, billing, clerical support, contract management, insurance, payroll, purchasing, and so on.
■ Up-front costs, such as the acquisition of the system, integration and configuration, and training. This should include the depreciation of capital outlays.
■ Future costs, such as maintenance, migration, and decommissioning of information systems. Future outlays should be amortized.
Calculating the Cost of Owning Unstructured Information
Any system designed to calculate the cost or benefit of a business strategy is inherently political. That is, it is an argument designed to convince an audience. Well-known models like TCO and ROI are primarily decision tools designed to help organizations predict the economic consequences of a decision. While there are certainly objective truths about the information environment, human decision making is a complex and imperfect process. There are plenty of excellent guides on how to create a standard TCO or ROI. That is not our purpose here. Rather, we want to inspire creative thinking about how to calculate the cost of owning unstructured information and help organizations minimize the risk—and maximize the value—of unstructured information.
Any economic model for calculating the cost of unstructured
information depends
on reliable facts. But facts can be hard to come by. A client
recently went in search of an
accurate number for the annual cost per terabyte of Tier 1
storage in her company. The
company’s storage environment was completely outsourced,
leading her to believe that
the number would be transparent and easy to find. However,
after days spent poring over
the massive contract, she was no closer to the truth. Although
there was a line item for
storage costs, the true costs were buried in “complexity fees”
and other opaque terms.
Organizations need tools that help them establish facts about their unstructured information environment. The business case for better management depends on these facts. Look for tools that can help you:
■ Find unstructured information wherever it resides across the enterprise, including e-mail systems, shared network drives, legacy content management systems, and archives.
■ Enable fast and intuitive access to basic metrics, such as size, date of last access, and file type.
■ Provide sophisticated analysis of the nature of the content itself to drive classification and information life cycle decisions.
■ Deliver visibility into the environment through dashboards that are easy for nonspecialists to configure and use.
Organizations can learn from accounting models used by cities to calculate the total cost of managing municipal waste and apply them to the IG problem.
Sources of Cost
Unstructured information is ubiquitous. It is typically not the product of a single-purpose business application. It often has no clearly defined owner. It is endlessly duplicated and transmitted across the organization. Determining where and how unstructured information generates cost is difficult.
However, doing so is possible. Our research shows at least 10 key factors that drive the total cost of owning unstructured information. These 10 factors identify where organizations typically spend money throughout the life cycle of managing unstructured information. These factors are listed in Figure 7.1, along with examples of elements that typically increase cost (“Cost Drivers,” on the left side) and elements that typically reduce costs (“Cost Reducers,” on the right side).
Identifying and building consensus on the sources of cost for unstructured information is critical to any TCO or ROI calculation. It is critical that all stakeholders agree on these sources, or they will not incorporate the output of the calculation in their strategy and planning.
1. E-discovery: finding, processing, and producing information to support lawsuits, investigations, and audits. Unstructured information is typically the most common target in e-discovery, and a poorly managed information environment can add millions of dollars in cost to large lawsuits. Simply reviewing a gigabyte of information for litigation can cost $14,000 or more.9
2. Disposition: getting rid of information that no longer has value because it is duplicate, out of date, or has no value to the business. In poorly managed information environments, separating the wheat from the chaff can cost large organizations millions of dollars. For enterprises with frequent litigation, the risk of throwing away the wrong piece of information only increases risk and cost. Better management and smart IG tools drive costs down.
3. Classification and organization: keeping unstructured information organized so that employees can use it. It also is necessary so management rules supporting privacy, privilege, confidentiality, retention, and other requirements can be applied.
4. Digitization and automation. Many business processes continue to be a combination of digital, automated steps and paper-based, manual steps. Automating and digitizing these processes requires investment but also can drive significant returns. For example, studies have shown that automating accounts payable “can reduce invoice processing costs by 90 percent.”10
5. Storage and network infrastructure: the cost of the devices, networks, software, and labor required to store unstructured information. Although the cost of the baseline commodity (i.e., a gigabyte of storage space) continues to fall, for most organizations overall volume growth and complexity means that storage budgets go up each year. For example, between 2000 and 2010, organizations more than doubled the amount they spent on storage-related software even though the cost of raw hard drive space dropped by almost 100 times.11
6. Information search, access, and collaboration: the cost of hardware, software, and services designed to ensure that information is available to those who need it, when they need it. This typically includes enterprise content management systems, enterprise search, case management, and the infrastructure necessary to support employee access and use of these systems.
7. Migration: the cost of moving unstructured information from outdated systems to current systems. In poorly managed information environments, the cost of migration can be very high—so high that some organizations maintain legacy systems long after they are no longer supported by the vendor just to avoid (more likely, simply to defer) the migration cost and complexity.
8. Policy management and compliance: the cost of developing, implementing, enforcing, and maintaining IG policies on unstructured information. Good policies, consistently enforced, will drive down the total cost of owning unstructured information.
9. Discovering and structuring business processes: the cost of identifying, improving, and systematizing or “routinizing” business processes that are currently ad hoc and disorganized. Typical examples include contract management and accounts receivable as well as revenue-related activities, such as sales and customer support. Moving from informal e-mail and document-based processes to fixed work flows drives down cost.
10. Knowledge capture and transfer: the cost of capturing critical business knowledge held at the department and employee level and putting that information in a form that enables other employees and parts of the organization to benefit from it. Examples include intranets and their more contemporary cousins such as wikis, blogs, and enterprise social media platforms.
Figure 7.1 Key Factors Driving Cost
Source: Barclay T. Blair
[Figure text. Cost Drivers: Examples: outdated, unenforced policies; poorly defined information ownership and governance; open loop, reactive e-discovery processes; uncontrolled information repositories; modernist, paper-focused information rules; ad hoc, unstructured business processes; disconnected governance programs. Cost Reducers: formal, communicated, and enforced policies; automated classification and organization.]
The Path to Information Value
At its peak during World War II, the Brooklyn Navy Yard had 70,000 people coming to work every day. The site was once America’s premier shipbuilding facility, building the steam-powered Ohio in 1820 and the aircraft carrier USS Independence in the 1950s. But the site fell apart after it was decommissioned in the 1960s. Today, an “Admiral’s Row” of Second Empire–style mansions once occupied by naval officers is an extraordinary sight, with gnarled oak trees pushing through the rotting mansard roofs.12
Seventy percent of managers and executives say data are “extremely important” for creating competitive advantage. “The key, of course, is knowing which data matter, who within a company needs them, and finding ways to get that data into users’ hands.”
—The Economist Intelligence Unit, “Levelling the Playing Field: How Companies Use Data to Create Advantage” (January 2011)
However, after decades of decay, the Navy Yard is being reborn as the home of hundreds of businesses—from major movie studios to artisanal whisky makers—taking advantage of abundant space and a desirable location. There were three phases in the yard’s rebirth:
1. Clean. Survey the site to determine what had value and
what did not. Dispose
of toxic waste and rotting buildings, and modernize the
infrastructure.
2. Build and maintain. Implement a plan to continuously
improve, upgrade, and
maintain the facility.
3. Monetize. Lease the space.
Most organizations face a similar problem. However, our Navy Yards are the vast piles of unstructured information that were created with little thought to how and when the pile might go away. They are records management programs built for a different era—like an automobile with a metal dashboard, six ashtrays, and no seat belts. Our Navy Yards are information environments no longer fit for purpose in the Big Data era, overwhelmed by volume and complexity.
We are doing a bad job at managing information. McKinsey estimates that in some circumstances, companies are using up to 80 percent of their infrastructure to store duplicate data.13 Nearly half of respondents in a survey ViaLumina recently conducted said that at least 50 percent of the information in their organization is duplicate, outdated, or unnecessary.14 We can do better.
1. Clean
We should put the Navy Yard’s blueprint to work, first by identifying our piles of rotting unstructured information. Duplicate information. Information that has not been accessed in years. Information that no longer supports a business process and has little value. Information that we have no legal obligation to keep. The economics of such “defensible deletion” projects can be compelling simply on the basis of recovering the storage space and thus reallocating capital that would have been spent on the annual storage purchase.
2. Build and Maintain
Cleaning up the Navy Yard is only the first step. We cannot repeat the past mistakes. We avoid this by building and maintaining an IG program that establishes our information constitution (why), laws (what), and regulations (how). We need a corporate governance, compliance, and audit plan that gives the program teeth, and a technology infrastructure that makes it real. It must be a defensible program to ensure we comply with the law and manage regulatory risk.
3. Monetize
IG is a means to an end, and that end is value creation. IG also
mitigates risk and drives
down cost. But extracting value is the key. Although
monetization and value creation
often are associated with structured data, new tools and
techniques create exciting new
opportunities for value creation from unstructured information.
For example, what if an organization could use sophisticated analytics on the e-mail account of their top salesperson (the more years of e-mail the better), look for markers of success, then train and hire salespeople based on that template? What is the pattern of a salesperson’s communications with customers and prospects in her territory? What is the substance of the communications? What is the tone? When do successful salespeople communicate? How are the patterns different between successful deals and failed deals? What knowledge and insight resides in the thousands of messages and gigabytes of content? The tools and techniques of Big Data applied to e-mail can bring powerful business insights. However, we have to know what questions to ask. According to Computerworld, “the hardest part of using big data is trying to get business people to sit down and define what they want out of the huge